[jboss-user] [JBoss Microcontainer Development] - Testing jboss-reflect with a SecurityManager enabled

Adrian Brock do-not-reply at jboss.com
Thu Mar 25 15:13:43 EDT 2010


Adrian Brock [http://community.jboss.org/people/adrian%40jboss.org] replied to the discussion

"Testing jboss-reflect with a SecurityManager enabled"

To view the discussion, visit: http://community.jboss.org/message/534062#534062

--------------------------------------------------------------
> Kabir Khan wrote:
> 
> This has been committed against https://jira.jboss.org/jira/browse/JBREFLECT-109.
> 
> I did not need the extra permissions in ContainerTestPlugin, all that was needed was an IntrospectionEnumTestCase.properties:
> 
> test.Permission.0=java.lang.RuntimePermission, accessClassInPackage.sun.reflect.annotation
> 
> Without that I got this
> 
> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.reflect.annotation)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:327)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:398)
> at java.lang.Class.forName0(Native Method)
> at java.lang.Class.forName(Class.java:247)
> at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:604)
> <snip/>
> 
> at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
> at java.util.HashMap.readObject(HashMap.java:1030)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:974)
> at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1849)
> at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
> at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
> at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
> at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
> at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
> at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
> at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
> at org.jboss.test.AbstractTestCase.deserialize(AbstractTestCase.java:352)
> at org.jboss.test.classinfo.test.AbstractClassInfoTest.access$0(AbstractClassInfoTest.java:1)
> at org.jboss.test.classinfo.test.AbstractClassInfoTest$1.run(AbstractClassInfoTest.java:100)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.jboss.test.classinfo.test.AbstractClassInfoTest.testBasics(AbstractClassInfoTest.java:96)
> at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnum(ClassInfoEnumTest.java:71)
> at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnumFieldAnnotation(ClassInfoEnumTest.java:64)

That actually looks like a bug to me.

We are assuming that the annotations cached in InheritableAnnotationsHolder can be Serialized, but
there's no guarantee in the spec that Annotations are Serializable.

It just so happens that the ones Sun implements are, but it obviously fails to Serialize them if you have a
SecurityManager enabled due to the package restriction.

In a different JDK they might not even be Serializable.

More correctly we should re-get the annotations during the readObject() processing rather than serializing them,
or probably, just let the state revert back to UNKNOWN_ANNOTATIONS_*.

--------------------------------------------------------------
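
The approach suggested in the reply above, sketched as an added example that is not part of the original post and is not jboss-reflect code: the annotation cache is kept out of the serialized form and reset to an "unknown" state in readObject(), so no JDK-internal annotation objects are written to or read from the stream. The class name `CachedAnnotationsHolder`, the `UNKNOWN` sentinel and the `Sample` type are hypothetical.

```java
import java.io.*;
import java.lang.annotation.Annotation;

// Hypothetical holder for illustration; not jboss-reflect's InheritableAnnotationsHolder.
public class CachedAnnotationsHolder implements Serializable {
    private static final long serialVersionUID = 1L;
    // Constructed sentinel for "not looked up yet" (stands in for the unknown-annotations state).
    private static final Annotation[] UNKNOWN = new Annotation[0];

    private final Class<?> owner;                     // Class itself is Serializable
    private transient Annotation[] cached = UNKNOWN;  // transient: never written to the stream

    public CachedAnnotationsHolder(Class<?> owner) {
        this.owner = owner;
    }

    public synchronized Annotation[] getAnnotations() {
        if (cached == UNKNOWN) {                      // identity check against the sentinel
            cached = owner.getAnnotations();          // (re)load lazily from the class
        }
        return cached.clone();
    }

    synchronized boolean isResolved() {
        return cached != UNKNOWN;
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        cached = UNKNOWN;  // field initializers do not run on deserialization; reset explicitly
    }

    @Deprecated
    static class Sample { }  // constructed sample type carrying one runtime annotation

    public static void main(String[] args) throws Exception {
        CachedAnnotationsHolder holder = new CachedAnnotationsHolder(Sample.class);
        holder.getAnnotations();                      // populate the cache before serializing
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(holder);                  // no annotation object goes into the stream
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            CachedAnnotationsHolder copy = (CachedAnnotationsHolder) in.readObject();
            System.out.println("resolved after read: " + copy.isResolved());
            System.out.println("annotations re-read: " + copy.getAnnotations().length);
        }
    }
}
```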
